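def Logminer():
    """Interactively pick a Windows event log and audit it for one event ID.

    The chosen log is memory-mapped and every record's XML is handed to
    ``InterestEvent`` together with the requested event ID. When the live
    log under System32 cannot be opened (typically a permission problem for
    a non-elevated process), the user is told to copy it to ``./log.evtx``
    next to the script and that copy is read instead.

    Raises:
        OSError: if the fallback ``./log.evtx`` cannot be opened either.
    """
    ChooseEvtx = input(bold('请选择的日志序号: (1.应用日志;2.安全日志;3.系统日志)\n\n') + Input())
    if ChooseEvtx == '1':
        EvtxPath = r"C:\WINDOWS\System32\Winevt\Logs\Application.evtx"
    elif ChooseEvtx == '2':
        EvtxPath = r"C:\WINDOWS\System32\Winevt\Logs\Security.evtx"
    else:
        EvtxPath = r"C:\WINDOWS\System32\Winevt\Logs\System.evtx"
    # Default to 4624 (logon) when the answer is empty or not an integer;
    # only ValueError is expected from int() here.
    try:
        EventID = int(input(bold('请输入提取的事件ID: (默认:4624)\n\n') + Input()))
    except ValueError:
        EventID = 4624
    try:
        # Binary mode: the .evtx is only memory-mapped, never decoded as text.
        with open(EvtxPath, 'rb') as f:
            with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buffer:
                bufferHeader = FileHeader(buffer, 0)
                for xml, record in evtx_file_xml_view(bufferHeader):
                    InterestEvent(xml, EventID)
        print(Result + "日志审计完毕……")
    except OSError:
        # Opening the live log failed (PermissionError is a subclass of
        # OSError); fall back to a manually copied file in the working dir.
        print(Processing + '提示:由于Python权限低无法读取系统文件,需手动复制文件于当前目录,且文件名改为“log.evtx”!')
        with open(r"./log.evtx", 'rb') as f:
            with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buffer:
                bufferHeader = FileHeader(buffer, 0)
                print("")
                print(Processing + "读取成功,正在检查数据……")
                for xml, record in evtx_file_xml_view(bufferHeader):
                    InterestEvent(xml, EventID)
        print(Result + "日志审计完毕……")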
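def main():
    """Count logon types from the live Security log or an .evtx file and write an HTML report.

    Option 1 queries the local Security log through ``EventLog.Query`` (an
    elevated console is required; otherwise the user is told so and the
    function returns). Option 2 memory-maps a user-supplied .evtx file.
    Every record is folded into ``final_count`` by ``analyze``. The report
    is written to ``log<localtime digits>.html`` in the current directory.
    """
    final_count = {}
    evt = input('[1]获取系统安全日志\n[2]获取evtx日志文件\n')
    if evt == "1":
        try:
            query = EventLog.Query("Security", "Event/EventData/Data[@Name='LogonType']")
            print('<----------start---------->')
            for event in query:
                final_count = analyze(event.xml, final_count)
        except Exception:
            # Without elevation the query fails; report and stop. Narrowed
            # from a bare except so Ctrl-C still interrupts the program.
            input('请以管理员的方式打开,按回车键退出')
            return
    elif evt == "2":
        EvtxPath = input('[*]请输入文件路径:')
        # Binary mode: the file is only memory-mapped.
        with open(EvtxPath, 'rb') as f:
            with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
                print('<----------start---------->')
                fh = FileHeader(buf, 0)
                for xml, record in evtx_file_xml_view(fh):
                    final_count = analyze(xml, final_count)
    # NOTE(review): final_count and time_list are interpolated into the HTML
    # as Python reprs without escaping. Their content comes from log data
    # (e.g. account names), so a crafted event could inject markup/script
    # into the report when it is opened in a browser; consider json.dumps()
    # plus HTML escaping before trusting this output.
    file = 'log{}.html'.format(''.join(str(x) for x in time.localtime(int(time.time()))))
    with open(file, 'w', encoding='utf-8') as f:
        f.write(html_head + str(final_count) + "\nlet timeList=" + str(time_list) + html_foot)
    print(file + "已保存")
    input('按回车键退出')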
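def ParseEvtx(files):
    """Append every record of an .evtx file, rendered as XML, to ..\\RESULTS\\EventLog.txt.

    A first pass counts the records so a progress bar can be drawn on
    stdout while the second pass writes the XML. Two blank lines are
    printed at the end to move past the progress bar.

    Args:
        files: path to the .evtx file.
    """
    # Context manager: the original never closed the output handle.
    with open("..\\RESULTS\\EventLog.txt", "a+") as writefile:
        with Evtx(files) as evtx:
            total = sum(1 for _ in evtx.records())
        # Binary mode: the .evtx is only memory-mapped.
        with open(files, 'rb') as f:
            with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
                fh = FileHeader(buf, 0x0)
                writefile.write("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
                writefile.write("<Events>")
                count = 0
                bar_len = 55
                for xml, record in evtx_file_xml_view(fh):
                    count += 1
                    writefile.write(ascii(xml))
                    # total is > 0 whenever this loop body runs.
                    filled_len = int(round(bar_len * count / float(total)))
                    percents = round(100.0 * count / float(total), 1)
                    bar = '=' * filled_len + '-' * (bar_len - filled_len)
                    sys.stdout.write('[%s] %s%s %s/%s \r' % (bar, percents, '%', count, total))
                    sys.stdout.flush()
                writefile.write("</Events>")
    # Single-argument print() behaves the same on Python 2 and 3.
    print("")
    print("")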
def dump_event_log(event_file, xml_format):
    # Print the USB-related events (EventID 1003) of an .evtx file, either as
    # raw XML (xml_format truthy) or as a one-line summary. Prints a message
    # and returns when the file does not exist.
    # Positional child indexes into the <System> element are assumed below
    # (1 = EventID, 7 = TimeCreated, 12 = Computer, 13 = Security) -- TODO
    # confirm against the log schema; nothing validates them here.
    if os.path.isfile(event_file) is False:
        print("The log file : " + event_file + " is not found.")
        return
    print("USB related event(s) found in the event log :")
    print("=============================================\n")
    with open(event_file, 'r') as f:
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, record in evtx_file_xml_view(fh):
                root = ET.fromstring(xml)
                if root[0][1].text == '1003':
                    if xml_format:
                        print xml
                    else:
                        # NOTE(review): the "******" run below is not valid
                        # Python and looks like a redaction in the source;
                        # the original expression cannot be recovered here.
                        print root[0][7].get('SystemTime') + " EventID : " + root[0][1].text + " Computer : " + root[0][12].text + " User SID : " + root[0][13].get('UserID') + " User : "******"\n"
def printToAscii(buf):
    """Write every record of an in-memory .evtx buffer to stdout as ASCII-escaped XML.

    Args:
        buf: bytes-like object (e.g. an mmap) holding the whole .evtx file.
    """
    header = FileHeader(buf, 0x0)
    print("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
    print("<Events>")
    for rendered, _record in evtx_file_xml_view(header):
        print(ascii(rendered))
    print("</Events>")
def xml_records(filename):
    """Yield ``(parsed, error)`` pairs for every record of an .evtx file.

    ``parsed`` is an lxml tree on success, the raw XML text when lxml could
    not parse it (``error`` is then the XMLSyntaxError), or None when the
    reader itself failed -- in that case the error is logged, one
    ``(None, exc)`` pair is yielded and the generator stops.
    ``OPTIONS.alternate`` selects the python-evtx reader; otherwise
    ``PyEvtxParser`` is used.
    """
    def convert(raw):
        # Parse one record; fall back to the raw text on malformed XML.
        try:
            return ef.to_lxml(raw), None
        except etree.XMLSyntaxError as exc:
            return raw, exc

    if OPTIONS.alternate:
        with Evtx(filename) as evtx:
            try:
                for raw, _record in evtx_file_xml_view(evtx.get_file_header()):
                    yield convert(raw)
            except BinaryParser.OverrunBufferException as exc:
                logging.error("Overrun Buffer Exception!")
                yield None, exc
            except BinaryParser.ParseException as exc:
                logging.error("Parse Exception!")
                yield None, exc
            except Exception as exc:  # UnicodeDecodeError, AttributeError
                logging.error(exc)
                yield None, exc
        return

    parser = PyEvtxParser(filename)
    try:
        for record in parser.records():
            yield convert(record['data'])
    except Exception as exc:  # UnicodeDecodeError, AttributeError, RuntimeError
        logging.error(exc)
        yield None, exc
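def xml_records(filename):
    """Yield ``(xml, error)`` for every record of an .evtx file.

    ``xml`` is an lxml element when the record parsed, otherwise the raw
    XML string with ``error`` set to the ``XMLSyntaxError``.

    Args:
        filename: path to the .evtx file.
    """
    with Evtx(filename) as evtx:
        for xml, record in evtx_file_xml_view(evtx.get_file_header()):
            try:
                yield to_lxml(xml), None
            except etree.XMLSyntaxError as e:
                # The original yielded a third item, ``fh``, which is not
                # defined in this scope and raised NameError on every parse
                # failure; the error path now matches the success path's shape.
                yield xml, e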
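def get_Scripts(evtx):
    '''
    Returns powershell scripts that were run on the system by parsing the
    Windows Powershell Logs.

    Each row is ``[record_id, time_created, task, script_name, message]``.
    Records whose second EventData string does not match ``script_re``, that
    lack the expected elements, or that are not well-formed XML are skipped.
    '''
    ps_scripts_ran = []
    for xml, record in evtx_file_xml_view(evtx.get_file_header()):
        try:
            root = to_lxml(xml)  # parse once; the original re-parsed per field
        except etree.XMLSyntaxError:
            continue
        # NOTE(review): the XPaths below are absolute, so they do not depend
        # on ``entry``; iterating the children of <Event> therefore appends
        # one identical row per child. Kept to preserve the output shape.
        for entry in root:
            record_id = entry.xpath("/Event/System/EventRecordID")[0].text
            ctime = entry.xpath("/Event/System/TimeCreated")[0].get("SystemTime")
            event_id = root.xpath("/Event/System/Task")[0].text
            try:
                strings = root.xpath("/Event/EventData/Data/string")
                script_name = script_re.search(str(strings[1].text)).group("scriptname")
                message = str(strings[2].text).strip()
            except (IndexError, AttributeError):
                # No script name in this record (regex miss or too few strings).
                continue
            ps_scripts_ran.append([
                record_id,
                str(ctime).replace(" ", "T") + "Z",
                event_id,
                script_name,
                message,
            ])
    return ps_scripts_ran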
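def parse_window_event_viewer(atm):
    """Import the records of an ATM's uploaded Windows event log as AtmEventViewerEvent rows.

    The file attached to ``atm.microsoft_event_viewer`` is read fully into
    memory and every record is rendered to XML. Creation time, record id and
    event id are pulled out with regular expressions and the full XML is
    stored as ``context``; records missing any of those fields are skipped.
    ``get_or_create`` keeps repeated imports from duplicating rows.

    Args:
        atm: model instance whose ``microsoft_event_viewer.file`` is a
            file-field-like object with open/read/close -- TODO confirm.
    """
    log_file = atm.microsoft_event_viewer.file
    log_file.open(mode='rb')
    try:
        data = log_file.read()
    finally:
        # The original left the handle open after reading the whole file.
        log_file.close()
    fh = FileHeader(data, 0x0)
    for xml_line, record in evtx_file_xml_view(fh):
        # get date
        match = re.search(r'<TimeCreated SystemTime=\".*\"', xml_line)
        if not match:
            continue
        match = re.search(r'\d{2,4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}', match.group())
        if not match:
            continue
        date = match.group()
        # event record id
        match = re.search(r'<EventRecordID>\d*', xml_line)
        if not match:
            continue
        match = re.search(r'\d+', match.group())
        event_record_id = match.group()
        # event id (the text after the closing '>' of the EventID tag)
        match = re.search(r'<EventID Qualifiers="(\d+)?">\d+', xml_line)
        if not match:
            continue
        event_id = match.group().split(">")[1]
        AtmEventViewerEvent.objects.get_or_create(
            atm=atm,
            event_date=date,
            event_id=event_id,
            event_record_id=event_record_id,
            context=xml_line,
        )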
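def readLogFile(self, filename):
    """Dump every record of ``filename`` (under the platform log directory) to stdout as XML.

    ``log_dir_linux`` / ``log_dir_windows`` are module-level settings chosen
    on ``os.name``. A record count is printed after the closing ``</Events>``
    tag.

    Args:
        filename: name of the .evtx file inside the log directory.
    """
    log_dir = log_dir_linux if os.name == 'posix' else log_dir_windows
    # Binary mode: the .evtx is only memory-mapped, never decoded as text.
    with open(os.path.join(log_dir, filename), 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            # Single-argument print() runs unchanged on Python 2 and 3.
            print("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
            print("<Events>")
            count = 0
            for xml, record in evtx_file_xml_view(fh):
                print(xml)
                count += 1
            print("</Events>")
            print("%d events found" % count)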
def xml_records(filename):
    """Yield ``(xml, error)`` for each event in ``filename``.

    With ``args.evtx`` the file is read as a binary .evtx. With ``args.xmls``
    it is an XML dump: the prolog and the <Events> wrapper are stripped and
    the text is split on the namespaced <Event> opening tag, each piece
    being re-wrapped in a plain <Event> element. ``xml`` is an lxml element
    on success, else the raw text with the XMLSyntaxError in ``error``.
    """
    def parsed(text):
        try:
            return to_lxml(text), None
        except etree.XMLSyntaxError as exc:
            return text, exc

    if args.evtx:
        with Evtx(filename) as evtx:
            for text, _record in evtx_file_xml_view(evtx.get_file_header()):
                yield parsed(text)
    if args.xmls:
        with open(filename, 'r') as fx:
            raw = fx.read()
        stripped = raw.replace("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>", "")
        stripped = stripped.replace("</Events>", "").replace("<Events>", "")
        del raw
        pieces = re.split(
            "<Event xmlns=[\'\"]http://schemas.microsoft.com/win/2004/08/events/event[\'\"]>",
            stripped)
        del stripped
        for piece in pieces:
            if not piece.startswith("<System>"):
                continue
            try:
                yield to_lxml("<Event>" + piece), None
            except etree.XMLSyntaxError as exc:
                # The un-wrapped piece is handed back, as in the original.
                yield piece, exc
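def ParseEvtx(files):
    """Append every record of an .evtx file, rendered as XML, to ..\\RESULTS\\EventLog.txt.

    A first pass counts the records so a progress bar can be drawn on
    stdout while the second pass writes the XML. Two blank lines are
    printed at the end to move past the progress bar.

    Args:
        files: path to the .evtx file.
    """
    # Context manager: the original never closed the output handle.
    with open("..\\RESULTS\\EventLog.txt", "a+") as writefile:
        with Evtx(files) as evtx:
            total = sum(1 for _ in evtx.records())
        # Binary mode: the .evtx is only memory-mapped.
        with open(files, 'rb') as f:
            with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
                fh = FileHeader(buf, 0x0)
                writefile.write("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
                writefile.write("<Events>")
                count = 0
                bar_len = 55
                for xml, record in evtx_file_xml_view(fh):
                    count += 1
                    writefile.write(ascii(xml))
                    # total is > 0 whenever this loop body runs.
                    filled_len = int(round(bar_len * count / float(total)))
                    percents = round(100.0 * count / float(total), 1)
                    bar = '=' * filled_len + '-' * (bar_len - filled_len)
                    sys.stdout.write('[%s] %s%s %s/%s \r' % (bar, percents, '%', count, total))
                    sys.stdout.flush()
                writefile.write("</Events>")
    # Single-argument print() behaves the same on Python 2 and 3.
    print("")
    print("")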
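def on_task_input(self, task, config):
    """Flexget input: turn selected Windows event log records into entries.

    ``config['filename']`` is memory-mapped and every record is rendered to
    XML. Only records whose provider name appears in ``config['providers']``
    and whose EventID is listed for that provider produce an Entry; the
    EventRecordID becomes both title and url. A summary line (and the count
    of records skipped as malformed XML) is logged at the end.

    Returns:
        list of Entry objects.
    """
    from Evtx.Evtx import FileHeader
    from Evtx.Views import evtx_file_xml_view
    entries = []
    t1 = datetime.now()
    ntot = 0
    nerr = 0
    # WARNING: to open an active Windows eventlog files (i.e. those in the
    # %SystemRoot%\System32\Winevt\Logs\ path) Flexget will need to run as
    # Administrator, otherwise open() will raise a "permission denied"
    # error. Exported logs can be accessed without special permissions.
    # Binary mode: the .evtx is only memory-mapped, never decoded as text.
    with open(config['filename'], 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, record in evtx_file_xml_view(fh):
                ntot += 1
                # some cleaning: namespaces here only makes accessing
                # nodes more difficult, while EventData content sometimes
                # fails ElementTree parsing (and it's useless too).
                xml = xml.replace(' xmlns="http://schemas.microsoft.com/win/2004/08/events/event"', '')
                if '<EventData>' in xml:
                    i1 = xml.index('<EventData>') - 1
                    i2 = xml.index('</EventData>') + 12
                    xml = xml[:i1] + xml[i2:]
                try:
                    node = ET.fromstring(xml).find('System')
                except ET.ParseError:
                    nerr += 1  # malformed XML? lets skip this one...
                    continue
                xprn = node.find('Provider').attrib['Name']
                for prov in config['providers']:
                    # list() keeps the first-key lookup working on Python 3 too.
                    cprn = list(prov.keys())[0]
                    if cprn != xprn:
                        continue
                    erid = node.find('EventRecordID').text
                    xeid = int(node.find('EventID').text)
                    text = None
                    for e in prov[cprn]['events']:
                        # An event is either a bare int id or a {id: text} dict.
                        ceid = e if isinstance(e, int) else list(e.keys())[0]
                        if ceid == xeid:
                            try:
                                text = e[ceid]
                            except TypeError:
                                text = 'Undefined'  # bare int: no text configured
                    if text:
                        entry = Entry()
                        entry['title'] = entry['url'] = erid
                        entry['provider'] = cprn
                        entry['short_name'] = prov[cprn]['short'] if 'short' in prov[cprn] else cprn
                        entry['event_id'] = xeid
                        entry['event_text'] = text
                        entry['event_time'] = datetime.strptime(node.find('TimeCreated').attrib['SystemTime'], '%Y-%m-%d %H:%M:%S')
                        entries.append(entry)
                    break
    t2 = datetime.now()
    res = 'Parsed %d events in %d seconds' % (ntot, (t2 - t1).seconds)
    if nerr:
        res += (' (%d skipped for xml issues)' % nerr)
    log.verbose(res)
    return entries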
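def import_xml(filename):
    """Build a {TargetLogonId: session} map from the logon/logoff events of an .evtx file.

    Logon events (ids in ``EVTX_LOGIN``) reset the session and record logon
    type, source ip:port, timestamp and domain-qualified user name; logoff
    events (``EVTX_LOGOFF``) add their timestamp to an already-known
    session. Other event ids are only counted. Progress is printed every
    2000 records.

    Returns:
        dict keyed by TargetLogonId; each value maps str(event id) to an
        info dict plus a 'username' key for logons.
    """
    # 4624 - Login 528
    # 4647 - Logoff 551
    # [*] Keys: Category, Description, Data, Domain\User, Date&Time, Source, Computer, Time, Date, Type, Event
    sessions = {}
    count = 0
    # Binary mode: the .evtx is only memory-mapped.
    with open(filename, 'rb') as f:
        print("[*] Reading EVTX file %s" % filename)
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, record in evtx_file_xml_view(fh):
                if (count % 2000) == 0:
                    print("%s records read" % count)
                count += 1
                match = eid_regex.search(xml)
                eid = int(match.group('eid'))
                session_id = get_data(xml, 'TargetLogonId')
                # Insert new session in dictionary
                # NOTE(review): this runs for every record, so the orphan
                # check in the logoff branch below can never trigger.
                if sessions.get(session_id, None) is None:
                    sessions[session_id] = {}
                if eid in EVTX_LOGIN:
                    if session_id:
                        sessions[session_id] = {}
                    else:
                        continue
                    info = {}
                    info['logon_type'] = get_data(xml, 'LogonType')
                    info['eid'] = str(eid)
                    info['ip'] = get_data(xml, 'IpAddress') + ':' + get_data(xml, 'IpPort')
                    info['datetime'] = parse(time_regex.search(xml).group('time')[:-7])
                    sessions[session_id][str(eid)] = info
                    username = get_data(xml, 'TargetDomainName') + '\\' + get_data(xml, 'TargetUserName')
                    sessions[session_id]['username'] = username
                elif eid in EVTX_LOGOFF:
                    # Ignore if orphan session. The original test was inverted
                    # (`not ... == None`), which skipped every logoff that
                    # *did* have a session and never stored logoff data.
                    if sessions.get(session_id, None) is None:
                        continue
                    info = {}
                    info['eid'] = str(eid)
                    info['datetime'] = parse(time_regex.search(xml).group('time')[:-7])
                    sessions[session_id][str(eid)] = info
    return sessions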
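def main():
    """CLI: print BITS client events of an .evtx as CSV rows.

    Only EventIDs listed in ``bits_ids`` are emitted. Each row starts with
    date, id, description, computer, process id and thread id, followed by
    the EventData fields named in ``bits_data`` (missing ones blank, commas
    inside values replaced by ';'). ``-n`` suppresses the header line.
    """
    parser = argparse.ArgumentParser(
        description="Find and Extract Windows Bits Events and output CSV",
        # argparse %-formats usage and help strings, so a literal '%' must be
        # doubled; the unescaped '%4' made --help raise ValueError.
        usage='parse_evtx_BITS.py Microsoft-Windows-Bits-Client%%4Operational.evtx -n')
    parser.add_argument("evtx", type=str, help='Microsoft-Windows-Bits-Client%%4Operational.evtx ')
    parser.add_argument("-n", "--NoHeader", default=False, action="store_true", help="Do not print Header")
    args = parser.parse_args()
    if not args.NoHeader:
        print(Bits_Header)
    # Binary mode: the .evtx is only memory-mapped.
    with open(args.evtx, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, record in evtx_file_xml_view(fh):
                soup = BeautifulSoup(xml, "lxml")
                Date = soup.event.system.timecreated['systemtime'][:-7]
                EventID = int(soup.event.system.eventid.string)
                Computer = soup.event.system.computer.string
                ProcessID = soup.event.system.execution['processid']
                ThreadID = soup.event.system.execution['threadid']
                if EventID not in bits_ids:
                    continue
                event_info = "%s,%s,%s,%s,%s,%s," % (Date, EventID, bits_ids[EventID], Computer, ProcessID, ThreadID)
                try:
                    event_data = {}
                    for child in soup.eventdata.children:
                        if isinstance(child, element.Tag):
                            val = child.text.replace(',', ';')
                            event_data[child['name']] = ' '.join(val.split())
                    event_data_result = [event_data.get(value, '') for value in bits_data]
                    print(event_info + ','.join(map(str, event_data_result)))
                except Exception:
                    # Best-effort: a record without <EventData> or without
                    # Name attributes is skipped rather than aborting the run.
                    # (Narrowed from a bare except so Ctrl-C still works.)
                    pass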
def get_entries(evtx):
    """
    @rtype: generator of Entry

    Records whose XML lxml cannot parse are skipped silently.
    """
    header = evtx.get_file_header()
    for rendered, raw_record in evtx_file_xml_view(header):
        try:
            entry = Entry(rendered, raw_record)
        except etree.XMLSyntaxError:
            continue
        yield entry
def xml_records(filename):
    """Yield (lxml element, None) per record, or (raw xml, XMLSyntaxError) when parsing fails.

    Every record is logged at debug level before parsing; parse failures
    are logged at error level.
    """
    with Evtx(filename) as evtx:
        header = evtx.get_file_header()
        for raw_xml, _record in evtx_file_xml_view(header):
            try:
                logger.debug("Yielding XML")
                element = to_lxml(raw_xml)
            except etree.XMLSyntaxError as exc:
                logger.error(exc)
                yield raw_xml, exc
            else:
                yield element, None
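def parse_logs(file_path):
    """Render every record of an .evtx file to XML and return them concatenated.

    Args:
        file_path: path to the .evtx file.

    Returns:
        str: the XML of all records joined with no separator (empty string
        for a log without records).
    """
    pieces = []
    # Binary mode: the .evtx is only memory-mapped.
    with open(file_path, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0)
            # Collect and join once; repeated += was quadratic on large logs.
            for xml, record in evtx_file_xml_view(fh):
                pieces.append(xml)
    return ''.join(pieces)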
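def get_xml_info():
    """Print the first record of each buffer from ``get_evt_buff(system_evt)`` and its EventID.

    Only the first record of every buffer is examined (the loop breaks after
    it). The rendered record is transcoded gbk -> utf-8 before parsing,
    which assumes it is gbk-encoded bytes -- TODO confirm.
    """
    for evt_buff in get_evt_buff(system_evt):
        fh = evtx.FileHeader(evt_buff, 0x0)
        for record_str, record in evtx_file_xml_view(fh):
            # Single-argument print() keeps this runnable on Python 2 and 3.
            print(record_str)
            system = get_child(to_lxml(record_str.decode("gbk").encode("utf-8")), 'System')
            print(get_child(system, 'EventID').text)
            break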
def xml_records(filename):
    """Yield (element, None) or (raw xml, XMLSyntaxError) per record.

    An IOError while opening or reading the file prints a message to stderr
    and exits the process with status 2.
    """
    try:
        with Evtx(filename) as evtx:
            header = evtx.get_file_header()
            for raw_xml, _record in evtx_file_xml_view(header):
                try:
                    element = etree.fromstring(raw_xml)
                except etree.XMLSyntaxError as exc:
                    yield raw_xml, exc
                else:
                    yield element, None
    except IOError:
        sys.stderr.write("Error: Cannot open file {}\n".format(filename))
        sys.exit(2)
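def parse_log_detail(self, filteID):
    """Print every event of ``self.path`` that ``self.filter_event`` accepts for ``filteID``.

    Args:
        filteID: event ID handed to ``self.filter_event`` with each record's
            XML (e.g. 4624 restricts the output to logon events); every
            tuple it yields is passed on to ``self.printer``.
    """
    # Binary mode: the .evtx is only memory-mapped.
    with open(self.path, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0)
            for xml, record in evtx_file_xml_view(fh):
                # NOTE(review): the unpacked order is (IpAddress, ip, IpPort)
                # but printer receives (IpAddress, IpPort, ip); kept as-is,
                # confirm against printer's signature.
                for time_create, IpAddress, ip, IpPort, targetUsername, ProcessName in self.filter_event(xml, filteID):
                    self.printer(time_create, IpAddress, IpPort, ip, targetUsername, ProcessName)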
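def EvtxtoXml(path):
    """Convert an .evtx log to XML record by record and store logon/logoff records in the DB.

    Each rendered record is wrapped in a ``ykei`` object; only records whose
    ``parsingXml()`` returns non-zero (logon/logoff events, per the original
    comment) are inserted, numbered from 1. A separator line is printed per
    record.

    Args:
        path: path to the .evtx file.
    """
    no = 0
    # Binary mode: the .evtx is only memory-mapped.
    with open(path, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, record in evtx_file_xml_view(fh):
                # Single-argument print() runs on Python 2 and 3.
                print("================================")
                el = ykei(xml)  # build the object from the rendered XML
                if el.parsingXml() != 0:  # non logon/logoff records are not inserted
                    no += 1  # running record number
                    el.insertDB(no)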
def dump_driverframeworks_log(event_file, xml_format):
    # Print the USB-related DriverFrameworks events (EventIDs 2003, 2004,
    # 2005, 2010, 2100, 2102, 2105) of an .evtx file sorted by their
    # datetime, as raw XML (xml_format truthy) or as a summary. Prints a
    # message and returns when the file does not exist.
    # Positional child indexes are assumed below (root[0] = System with
    # 1 = EventID, 7 = TimeCreated, 12 = Computer, 13 = Security; root[1][0]
    # = the first UserData child) -- TODO confirm against the log schema.
    events_list = list()
    if os.path.isfile(event_file) is False:
        print("The log file : " + event_file + " is not found.")
        return
    print("USB related event(s) found in the event log :")
    print("=============================================\n")
    with open(event_file, 'r') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, record in evtx_file_xml_view(fh):
                root = ET.fromstring(xml)
                if root[0][1].text == '2003' or root[0][1].text == '2004' or root[0][1].text == '2005' or \
                   root[0][1].text == '2010' or root[0][1].text == '2100' or root[0][1].text == '2102' or \
                   root[0][1].text == '2105':
                    if xml_format:
                        evt = EventXML(root[0][7].get('SystemTime'), xml)
                        events_list.append(evt)
                    else:
                        evt = Event(root[0][7].get('SystemTime'), root[0][1].text, root[0][12].text,
                                    root[0][13].get('UserID'),
                                    utils.find_username_by_sid(root[0][13].get('UserID')),
                                    str.split(str(root[1][0].tag), "}")[1],
                                    str(root[1][0].get('lifetime')), str(root[1][0].get('instance')))
                        events_list.append(evt)
    events_list.sort(key=lambda x: x.datetime)
    if xml_format:
        for eventxml in events_list:
            print eventxml.xmlstring
    else:
        for event in events_list:
            print "UTC Time : " + event.datetime
            # NOTE(review): the "******" run below is not valid Python and
            # looks like a redaction in the source; the original expression
            # cannot be recovered here.
            print "EventID : " + event.event_id + " | Description : " + event.description + \
                " | Computer : " + event.computer_name + " | User SID : " + event.user_sid + \
                " | User : "******"Lifetime : " + event.lifetime
            print event.device_instance_id + "\n"
    print str(len(events_list)) + " event(s) found."
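def Magic(evtx):
    """Collect distinct PowerShell host-application command lines from a PowerShell log.

    For each record the last ``HostApplication`` line of the first EventData
    element is taken as the command line. When it contains
    ``-EncodedCommand`` (or, failing that, ``-enc``) the text after that
    switch is kept as the base64 payload, else "No Base64 Found". One row
    per distinct command line:
    ``[record_id, time_created, computer, command_line, base64]``.
    Records that fail to parse or lack the expected elements are skipped.
    """
    ps_scripts_ran = []
    seen_paths = set()  # O(1) duplicate check instead of rescanning the list
    for xml, row in evtx_file_xml_view(evtx.get_file_header()):
        try:
            root = to_lxml(xml)
            for entry in root:
                R_ID = entry.xpath("/Event/System/EventRecordID")[0].text
                ctime = entry.xpath("/Event/System/TimeCreated")[0].get("SystemTime")
                Computer = entry.xpath("/Event/System/Computer")[0].text
                # Not used in the row, but a missing <Security> element still
                # skips the record via the except below, as in the original.
                user = entry.xpath("/Event/System/Security")[0].text
                paths = str(root.xpath("/Event/EventData/Data")[0].text)
                path = ""
                for line in paths.split("\n"):
                    if "HostApplication" in line:
                        path = line
                if "-EncodedCommand" in path:
                    regex_Base64 = (path.split("-EncodedCommand")[1]).strip()
                elif "-enc" in path:
                    regex_Base64 = (path.split("-enc")[1]).strip()
                else:
                    regex_Base64 = "No Base64 Found"
                if path not in seen_paths:
                    seen_paths.add(path)
                    ps_scripts_ran.append([
                        R_ID,
                        # ISO 8601 separator; the original inserted "Timee".
                        str(ctime).replace(" ", "T") + "Z",
                        Computer,
                        path,
                        regex_Base64,
                    ])
        except Exception:
            # Best-effort per record (malformed XML, missing elements).
            continue
    return ps_scripts_ran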
def extract_xml(evtx_file):
    """
    Parse the evtx file and extract just the xml parts of each event.

    Yields ``(lxml element, None)`` for each record that parses, and
    ``(raw xml string, XMLSyntaxError)`` for each record that does not.
    """
    with Evtx(evtx_file) as evtx:
        header = evtx.get_file_header()
        for raw_xml, _record in evtx_file_xml_view(header):
            try:
                element = to_lxml(raw_xml)
            except etree.XMLSyntaxError as exc:
                # Parse failed: hand back what we have plus the exception.
                yield raw_xml, exc
            else:
                yield element, None
def xml_records(filename):
    """
    Yield one ``(xml, error)`` pair per record of the .evtx file.

    If the second return value is not None, then it is an Exception
    encountered during parsing and the first return value is the raw XML
    string; otherwise the first value is the parsed lxml element.

    @type filename str
    @rtype: generator of (etree.Element or str), (None or Exception)
    """
    with Evtx(filename) as evtx:
        header = evtx.get_file_header()
        for raw_xml, _record in evtx_file_xml_view(header):
            try:
                element = to_lxml(raw_xml)
            except etree.XMLSyntaxError as exc:
                yield raw_xml, exc
            else:
                yield element, None
def eventlog(self, path):
    """Iterates over the Events contained within the log at the given path.
    For each Event, yields a XML string.

    The remote file is downloaded into an unbuffered temporary file, which
    is removed when the generator finishes, and parsed from there.
    """
    self.logger.debug("Parsing Event log file %s.", path)
    with NamedTemporaryFile(buffering=0) as scratch:
        self._filesystem.download(path, scratch.name)
        header = FileHeader(scratch.read(), 0)
        for rendered, _ in evtx_file_xml_view(header):
            yield rendered
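def main():
    """CLI: print Windows account-change events of a Security .evtx as CSV.

    Only EventIDs listed in ``evtxs`` are emitted. Each row holds date, id,
    description and computer followed by the EventData fields named in
    ``event_data_names`` (missing ones blank). ``-n`` suppresses the header.
    """
    parser = argparse.ArgumentParser(
        description="Extract Common Windows Account Change Events",
        usage='parse_evtx_account_changes.py Security.evtx -n')
    parser.add_argument("evtx", type=str, help='Security.evtx ')
    parser.add_argument("-n", "--NoHeader", default=False, action="store_true", help="Do not print Header")
    args = parser.parse_args()
    header = ','.join(map(str, event_info_names + event_data_names))
    if not args.NoHeader:
        print(header)
    # Binary mode: the .evtx is only memory-mapped.
    with open(args.evtx, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, record in evtx_file_xml_view(fh):
                soup = BeautifulSoup(xml, "lxml")
                Date = soup.event.system.timecreated['systemtime'][:-7]
                EventID = int(soup.event.system.eventid.string)
                Computer = soup.event.system.computer.string
                if EventID not in evtxs:
                    continue
                event_info = "%s,%s,%s,%s," % (Date, EventID, evtxs[EventID], Computer)
                try:
                    event_data = {}
                    for child in soup.eventdata.children:
                        if isinstance(child, element.Tag):
                            event_data[child['name']] = ' '.join(child.text.split())
                    event_data_result = [event_data.get(value, '') for value in event_data_names]
                    print(event_info + ','.join(map(str, event_data_result)))
                except Exception:
                    # Best-effort: a record without <EventData> or without
                    # Name attributes is skipped rather than aborting the run.
                    # (Narrowed from a bare except so Ctrl-C still works.)
                    pass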
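def parse(filename):
    """Convert every record of an .evtx file into a JSON-compatible dict.

    Args:
        filename: path to the .evtx file.

    Returns:
        list of dicts, one per record, built by ``EvtxToElk.build_json`` and
        round-tripped through json (presumably to normalise to plain JSON
        types before bulk indexing).
    """
    bulk_data = []
    # Binary mode: the .evtx is only memory-mapped.
    with open(filename, 'rb') as infile:
        with contextlib.closing(mmap.mmap(infile.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, record in evtx_file_xml_view(fh):
                log_line = EvtxToElk.build_json(xml)
                bulk_data.append(json.loads(json.dumps(log_line)))
    return bulk_data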
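def main():
    """CLI: print Task Scheduler operational events of an .evtx as CSV rows.

    Each row holds date, EventID, the EventData element name, process id and
    thread id, followed by the EventData fields named in ``event_data_names``
    (missing ones blank). The module-level ``header`` is printed first.
    """
    parser = argparse.ArgumentParser(description="Extract Common Windows Scheduled Tasks Events to CSV")
    parser.add_argument("WinEventLog", type=str, help="Path to Microsoft-Windows-TaskScheduler4Operational.evtx")
    args = parser.parse_args()
    # Binary mode: the .evtx is only memory-mapped.
    with open(args.WinEventLog, 'rb') as f:
        print(header)
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            for xml, record in evtx_file_xml_view(fh):
                soup = BeautifulSoup(xml, "lxml")
                Date = soup.event.system.timecreated['systemtime'][:-7]
                EventID = int(soup.event.system.eventid.string)
                ProcessID = soup.event.system.execution['processid']
                ThreadID = soup.event.system.execution['threadid']
                EventDataName = soup.eventdata['name']
                if not EventID:
                    continue
                event_info = "%s,%s,%s,%s,%s," % (Date, EventID, EventDataName, ProcessID, ThreadID)
                # Initialised before the try so a failure inside it cannot leave
                # the name unbound or holding the previous record's values (the
                # original then raised NameError or printed stale data).
                event_data_result = []
                try:
                    event_data = {}
                    for child in soup.eventdata.children:
                        if isinstance(child, element.Tag):
                            event_data[child['name']] = ' '.join(child.text.split())
                    event_data_result = [event_data.get(value, '') for value in event_data_names]
                except Exception:
                    # Best-effort: unexpected EventData yields an info-only row.
                    pass
                print(event_info + ','.join(map(str, event_data_result)))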
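def main():
    """CLI: dump a binary .evtx file to stdout as an ASCII-escaped XML document.

    ``--cleanup`` is accepted for compatibility but not consulted by this
    function.
    """
    parser = argparse.ArgumentParser(description="Dump a binary EVTX file into XML.")
    # The original had a stray trailing comma here, turning the call into a
    # one-element tuple expression.
    parser.add_argument("--cleanup", action="store_true", help="Cleanup unused XML entities (slower)")
    parser.add_argument("evtx", type=str, help="Path to the Windows EVTX event log file")
    args = parser.parse_args()
    # Binary mode: the .evtx is only memory-mapped, never decoded as text.
    with open(args.evtx, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            print("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
            print("<Events>")
            for xml, record in evtx_file_xml_view(fh):
                print(ascii(xml))
            print("</Events>")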
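def main():
    """CLI: dump a binary .evtx file to stdout as an XML document.

    ``--cleanup`` is accepted for compatibility but not consulted by this
    function.
    """
    parser = argparse.ArgumentParser(description="Dump a binary EVTX file into XML.")
    # The original had a stray trailing comma here, turning the call into a
    # one-element tuple expression.
    parser.add_argument("--cleanup", action="store_true", help="Cleanup unused XML entities (slower)")
    parser.add_argument("evtx", type=str, help="Path to the Windows EVTX event log file")
    args = parser.parse_args()
    # Binary mode: the .evtx is only memory-mapped, never decoded as text.
    with open(args.evtx, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            # Single-argument print() runs unchanged on Python 2 and 3.
            print("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
            print("<Events>")
            for xml, record in evtx_file_xml_view(fh):
                print(xml)
            print("</Events>")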
def main():
    """CLI: print the record number of every event whose EventID equals the given EID.

    Records that lxml cannot parse are skipped.
    """
    import argparse
    parser = argparse.ArgumentParser(
        description="Print the record numbers of EVTX log entries that match the given EID.")
    parser.add_argument("evtx", type=str, help="Path to the Windows EVTX file")
    parser.add_argument("eid", type=int, help="The EID of records to extract")
    args = parser.parse_args()
    wanted = args.eid
    with Evtx(args.evtx) as evtx:
        header = evtx.get_file_header()
        for raw_xml, record in evtx_file_xml_view(header):
            try:
                node = to_lxml(raw_xml)
            except XMLSyntaxError:
                continue
            system = get_child(node, "System")
            if int(get_child(system, "EventID").text) == wanted:
                print(record.record_num())
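def main():
    """CLI: print the record number of every event whose EventID equals the given EID.

    Records that lxml cannot parse are skipped.
    """
    import argparse
    parser = argparse.ArgumentParser(
        description="Print the record numbers of EVTX log entries "
                    "that match the given EID.")
    parser.add_argument("evtx", type=str, help="Path to the Windows EVTX file")
    parser.add_argument("eid", type=int, help="The EID of records to extract")
    args = parser.parse_args()
    with Evtx(args.evtx) as evtx:
        for xml, record in evtx_file_xml_view(evtx.get_file_header()):
            try:
                node = to_lxml(xml)
            except XMLSyntaxError:
                continue
            if args.eid != int(get_child(get_child(node, "System"), "EventID").text):
                continue
            # Single-argument print() runs unchanged on Python 2 and 3
            # (the original used the Python 2 print statement).
            print(record.record_num())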
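def main():
    """CLI: copy the records with a given EventID from an .evtx into an XML file.

    The output is opened in append mode, so running twice against the same
    file yields two XML documents back to back. ``--cleanup`` is accepted
    but not consulted. Without ``--eventID`` the comparison is against
    "None" and no record is written.
    """
    parser = argparse.ArgumentParser(description="Dump specific event ids from a binary EVTX file into XML.")
    # Stray trailing comma removed (it made the call a one-element tuple).
    parser.add_argument("--cleanup", action="store_true", help="Cleanup unused XML entities (slower)")
    parser.add_argument("evtx", type=str, help="Path to the Windows EVTX event log file")
    parser.add_argument("out", type=str, help="Path and name of the output file")
    parser.add_argument("--eventID", type=int, help="Event id that should be extracted")
    args = parser.parse_args()
    wanted = str(args.eventID)
    # Both files are context-managed: the original never closed the output,
    # so the trailing </Events> depended on interpreter shutdown flushing it.
    with open(args.out, 'a+') as outFile, open(args.evtx, 'rb') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            fh = FileHeader(buf, 0x0)
            outFile.write("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>")
            outFile.write("<Events>")
            for xml, record in evtx_file_xml_view(fh):
                xmldoc = minidom.parseString(xml)
                event_id = xmldoc.getElementsByTagName('EventID')[0].childNodes[0].nodeValue
                if event_id == wanted:
                    outFile.write(xml)
            outFile.write("</Events>")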
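def searchEvent(buf):
    """Group the events of an in-memory .evtx buffer by EventID.

    Args:
        buf: bytes-like object holding the whole .evtx file.

    Returns:
        dict mapping EventID (str) to a list of
        ``[event_id, time_created, task, data_elements, f0, f1, f2, f3]``
        rows, where f0..f3 are the results of ``getZero``..``getThree`` on
        the record XML (empty string when a helper raises). Records that
        are not well-formed XML or lack the System elements are skipped.
    """
    taskList = {}
    fh = FileHeader(buf, 0x0)
    for xml, Record in evtx_file_xml_view(fh):
        try:
            doc = toLxml(xml)  # parse once; the original re-parsed four times
            record = doc.xpath("/Event/System/EventID")[0].text
            event = doc.xpath("/Event/System/Task")[0].text
            ctime = doc.xpath("/Event/System/TimeCreated")[0].get("SystemTime")
            taskAction = doc.xpath("/Event/EventData/Data")
            fields = []
            for extract in (getZero, getOne, getTwo, getThree):
                try:
                    fields.append(extract(xml))
                except Exception:
                    # Best-effort per field, as in the original; narrowed
                    # from a bare except so Ctrl-C still interrupts.
                    fields.append('')
            taskList.setdefault(record, []).append([record, ctime, event, taskAction] + fields)
        except (etree.XMLSyntaxError, IndexError):
            continue
    return taskList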
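def xml_records(filename):
    """Yield ``(xml, error)`` for each event in ``filename``.

    With ``args.evtx`` the file is read as a binary .evtx. With ``args.xmls``
    it is an XML dump: the prolog and <Events> wrapper are stripped and the
    text is split on the single-quoted namespaced <Event> opening tag, each
    piece being re-wrapped in a plain <Event>. ``xml`` is an lxml element on
    success, else the raw text with the XMLSyntaxError in ``error``.
    """
    if args.evtx:
        with Evtx(filename) as evtx:
            for xml, record in evtx_file_xml_view(evtx.get_file_header()):
                try:
                    yield to_lxml(xml), None
                except etree.XMLSyntaxError as e:
                    # The original yielded a third item, ``fh``, which is not
                    # defined here and raised NameError on every parse error.
                    yield xml, e
    if args.xmls:
        with open(filename, 'r') as fx:
            xdata = fx.read()
        fixdata = xdata.replace("<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>", "")
        fixdata = fixdata.replace("</Events>", "").replace("<Events>", "")
        del xdata
        xml_list = fixdata.split("<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\'>")
        del fixdata
        for xml in xml_list:
            if xml.startswith("<System>"):
                try:
                    yield to_lxml("<Event>" + xml), None
                except etree.XMLSyntaxError as e:
                    yield xml, e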
# Module author metadata (PEP 8 dunder convention); no runtime effect.
__author__ = 'berluskuni'